Emerging Threat: New Linux Malware Blends DDoS and Cryptomining Functions
Cyble researchers have documented a new Linux malware strain that pairs a Mirai-derived DDoS bot with fileless cryptomining. A single infection therefore serves two purposes: the compromised host can be aimed at DDoS targets, and it mines cryptocurrency for the operators in the background.
### A Sophisticated Operation
In a blog post released today, Cyble's threat intelligence team described the campaign as a "sophisticated and financially motivated operation" that merges botnet propagation with covert cryptomining. The variant's emphasis on stealth is what sets it apart from run-of-the-mill Mirai forks and makes it harder for organizations to spot.
### Evading Detection
The malware leans on several evasion techniques: raw-socket scanning, process-name masquerading, localhost-only inter-process communication (IPC), DNS resolution at run time rather than hard-coded C2 addresses, and a miner configuration that is never written to disk. According to Cyble, the goal of these choices is to keep the infection running unnoticed on a host for as long as possible.
### Dual Functionality: DDoS and Cryptomining
The sample reflects a broader trend toward hybrid monetization: rather than using a compromised Linux host only for DDoS, attackers also mine cryptocurrency on it, extracting more value from each infection. Organizations running Linux servers, cloud workloads, or Internet-exposed IoT devices should review what is exposed, keep those devices patched, and monitor for the indicators described in the Cyble report.
### Infection Process
The infection proceeds in stages. A downloader first fetches the architecture-specific V3G4/Mirai binary for the host; x86_64, ARM, and MIPS builds are served. The second-stage sample, designated Mddos.x86_64, is a statically linked, UPX-packed ELF with its symbols stripped. A stock UPX layer can be removed with `upx -d`, but the static linking and missing symbols still make static analysis of the unpacked code considerably slower.
Once running, the malware collects system information and then hides itself: it sets its process name to systemd-logind so that it blends in with the genuine login daemon in process listings, detaches from the controlling terminal, and spawns several worker threads. These threads handle attack coordination, command-and-control (C2) communication, and the internal IPC.
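A renamed process still has to run from somewhere, and `/proc` tells you where. The script below is an added example for this article, not Cyble's tooling: it walks a process snapshot and flags a comm name that claims to be a system daemon while its executable lives outside the directories the real daemon ships in, executables under `/tmp` or similar scratch space, dot-prefixed (hidden) binaries, unlinked executables, and the `UPX!` signature that stock UPX leaves in a packed ELF. The snapshot, the pids and the ELF stubs are constructed; on a live host, populate `Proc` from `/proc/<pid>/comm`, `os.readlink('/proc/<pid>/exe')` and the leading bytes of that file.

```python
"""Hunt for processes that masquerade as system daemons and for UPX-packed ELF images.

Added example for this article, not Cyble's tooling. It evaluates a constructed
snapshot shaped like the data /proc exposes; on a live host, fill Proc from
/proc/<pid>/comm, os.readlink('/proc/<pid>/exe') and the first few hundred
bytes of that executable.
"""
import os
from dataclasses import dataclass
from typing import Dict, List

# Where genuine copies of these daemons live on mainstream distributions
TRUSTED_DIRS = ("/usr/lib/systemd/", "/lib/systemd/", "/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/")
DAEMON_NAMES = {"systemd-logind", "dbus-daemon", "systemd", "sshd", "cron"}
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Proc:
    pid: int
    comm: str           # /proc/<pid>/comm: the name a bot overwrites with prctl(PR_SET_NAME)
    exe: str            # os.readlink('/proc/<pid>/exe'); ends in ' (deleted)' if unlinked
    image: bytes = b""  # leading bytes of the executable, for the packer check


def is_upx_packed(image: bytes) -> bool:
    """Stock UPX leaves a 'UPX!' marker in the ELF stub. A modified UPX can scrub it,
    so treat a hit as strong evidence and a miss as inconclusive."""
    return image.startswith(b"\x7fELF") and b"UPX!" in image


def findings_for(p: Proc) -> List[str]:
    out = []
    path = p.exe.replace(" (deleted)", "")
    if p.comm in DAEMON_NAMES and not path.startswith(TRUSTED_DIRS):
        out.append(f"comm '{p.comm}' claims a system daemon but exe is {p.exe}")
    if path.startswith(SCRATCH_DIRS):
        out.append(f"executable runs from scratch space: {path}")
    if os.path.basename(path).startswith("."):
        out.append(f"dot-prefixed (hidden) executable name: {path}")
    if p.exe.endswith(" (deleted)"):
        out.append("executable unlinked after start (fileless or self-deleting)")
    if is_upx_packed(p.image):
        out.append("image is UPX-packed")
    return out


def hunt(procs: List[Proc]) -> Dict[int, List[str]]:
    """Map pid -> findings, only for processes that triggered at least one rule."""
    return {p.pid: f for p in procs if (f := findings_for(p))}


# Constructed ELF stubs: just the magic plus (for one of them) the UPX marker
UPX_ELF = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"UPX!" + b"\x00" * 8
PLAIN_ELF = b"\x7fELF\x02\x01\x01" + b"\x00" * 21

# Constructed snapshot; pids and paths are illustrative, not from the report
SNAPSHOT = [
    Proc(812, "systemd-logind", "/usr/lib/systemd/systemd-logind", PLAIN_ELF),  # genuine daemon
    Proc(1234, "systemd-logind", "/tmp/Mddos.x86_64", UPX_ELF),                  # bot renamed as the daemon
    Proc(4321, "dbus-daemon", "/tmp/.dbus-daemon", UPX_ELF),                     # hidden miner in /tmp
    Proc(5000, "sshd", "/dev/shm/.x (deleted)", PLAIN_ELF),                      # constructed unlinked case
]

if __name__ == "__main__":
    for pid, findings in hunt(SNAPSHOT).items():
        print(pid, *findings, sep="\n  ")
```

The comm field is limited to 15 bytes and is trivially set by the process itself, which is exactly why the check compares it against the executable path rather than trusting it; `/proc/<pid>/exe` is maintained by the kernel and cannot be rewritten from user space.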
### Precision Scanning Techniques
A defining characteristic of this variant is its use of raw TCP sockets. Because the bot builds SYN packets itself instead of calling connect(), it can probe SSH (port 22) across large address ranges at high speed without completing a handshake for each target. In parallel, worker threads resolve the C2 domain (baojunwakuang[.]asia) by repeatedly querying Google Public DNS (8.8.8.8) directly, which keeps the channel usable even if the host's configured resolver changes. Those queries bypass the local resolver, so they will not show up in resolver logs; outbound traffic to external DNS servers on port 53 is where to look for them.
This multi-threaded DNS resolution method is characteristic of Mirai-style bots, allowing continuous connectivity while executing various attacks in parallel.
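On the wire, a raw-socket SSH sweep looks like a stream of bare SYNs to port 22 fanned out across many hosts. The code below is an added example for this article, not Cyble's or the bot's code: `build_syn()` produces the same IPv4/TCP bytes a raw-socket scanner emits (it is used here only to generate constructed input), `parse_tcp()` validates both checksums and extracts the fields a detector needs, and `syn_scanners()` flags any source that sent SYN-only segments to port 22 on more hosts than a threshold. The addresses, ports and threshold are constructed; in production the frames would come from a pcap or an AF_PACKET capture.

```python
"""Parse raw IPv4/TCP frames and flag SYN-scanning sources.

Added example for this article (not Cyble's or the bot's code). build_syn()
produces the on-the-wire bytes a raw-socket scanner sends, so the detector has
constructed input; frames from a capture can be fed straight into parse_tcp().
"""
import struct
from collections import defaultdict
from ipaddress import ip_address
from typing import Dict, Iterable, Optional

TCP_SYN = 0x02


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum, shared by the IPv4 header and TCP segment."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_syn(src: str, dst: str, sport: int, dport: int, seq: int = 0) -> bytes:
    """IPv4 datagram carrying a bare SYN; no options, window 1024, TTL 64."""
    s, d = ip_address(src).packed, ip_address(dst).packed
    tcp = struct.pack("!HHLLBBHHH", sport, dport, seq, 0, 5 << 4, TCP_SYN, 1024, 0, 0)
    pseudo = struct.pack("!4s4sBBH", s, d, 0, 6, len(tcp))  # TCP checksum covers a pseudo-header
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse_tcp(frame: bytes) -> Optional[dict]:
    """Return src/dst/dport/flags for a valid IPv4 TCP datagram, else None.
    A checksum that verifies to zero means the stored checksum matched."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if ihl < 20 or len(frame) < ihl + 20 or frame[9] != 6 or checksum(frame[:ihl]) != 0:
        return None
    s, d, tcp = frame[12:16], frame[16:20], frame[ihl:]
    _, dport, _, _, _, flags, _, _, _ = struct.unpack("!HHLLBBHHH", tcp[:20])
    if checksum(struct.pack("!4s4sBBH", s, d, 0, 6, len(tcp)) + tcp) != 0:
        return None
    return {"src": str(ip_address(s)), "dst": str(ip_address(d)),
            "dport": dport, "flags": flags & 0x3F}  # drop the ECN bits


def syn_scanners(frames: Iterable[bytes], port: int = 22, threshold: int = 20) -> Dict[str, int]:
    """Sources that sent bare SYNs to `port` on at least `threshold` distinct hosts."""
    targets = defaultdict(set)
    for f in frames:
        p = parse_tcp(f)
        if p and p["dport"] == port and p["flags"] == TCP_SYN:
            targets[p["src"]].add(p["dst"])
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


# Constructed traffic: one source sweeps 50 hosts for SSH, another host behaves normally
SAMPLE_FRAMES = [build_syn("10.0.0.5", f"10.0.1.{i}", 40000 + i, 22, seq=i) for i in range(1, 51)]
SAMPLE_FRAMES += [build_syn("10.0.0.7", "10.0.1.1", 51000, 22),
                  build_syn("10.0.0.7", "10.0.1.2", 51001, 443)]

if __name__ == "__main__":
    print(syn_scanners(SAMPLE_FRAMES))  # {'10.0.0.5': 50}
```

Two host-side observations complement the network view: opening a raw socket requires CAP_NET_RAW (normally root), and every open raw socket is listed in `/proc/net/raw`, so a process named like a login daemon that holds a raw socket is itself worth a second look.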
### Covert Cryptomining
The third stage deploys a hidden Monero miner. The bot downloads a UPX-packed XMRig binary from 159.75.47[.]123 and stores it as /tmp/.dbus-daemon, a dot-prefixed name in a scratch directory chosen to resemble the legitimate dbus-daemon in process listings.
Rather than reading a local configuration file, the miner pulls its settings from the C2 server at run time. Wallet addresses, mining pools, and algorithms can be swapped on the fly, and because nothing is written to disk, a forensic examiner working from the file system alone finds no record of them.
### Dynamic Configuration
Typical miner deployments embed a static configuration, which hands analysts the wallet address and pool endpoint as soon as they run strings on the binary. This malware avoids that by requesting the configuration from the C2 server when the miner starts: the response is a JSON document carrying the pool URL, wallet address, mining algorithm, and thread count. The trade-off for defenders is that the same data is still present in the miner's memory and in the C2 response on the wire, so a process memory dump or a packet capture recovers what the disk cannot.
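The practical consequence of a fileless configuration is that the responder carves it out of a memory dump (for example from `gcore <pid>`) or a captured C2 response instead of reading a file. The script below is an added example for this article, not Cyble's or XMRig's code: it scans an arbitrary byte blob for embedded JSON objects, picks out those that look like a miner configuration, and checks whether the wallet has the shape of a Monero address and whether the pool is a stratum endpoint. The key names (`pool`, `wallet`, `algo`, `threads`), the blob, the pool host and the wallet string are all constructed assumptions; the real response may use different keys, and XMRig's native `pools` list is accepted as well.

```python
"""Recover and sanity-check a miner configuration that only ever existed in memory.

Added example for this article, not Cyble's or XMRig's code. The key names
below are assumptions about the C2 response; the dump and wallet are constructed.
"""
import json
from typing import Iterator, List

BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
WALLET_KEYS = ("wallet", "user", "address")   # XMRig puts the wallet in "user"
POOL_KEYS = ("pool", "url")


def is_monero_address(addr: str) -> bool:
    """Shape check only: standard (95 chars, leading '4'), subaddress (95, '8')
    or integrated (106, '4'), all over the base58 alphabet. It does not verify
    the embedded checksum, so it rejects junk but does not prove a real wallet."""
    if not addr or any(c not in BASE58 for c in addr):
        return False
    return (len(addr) == 95 and addr[0] in "48") or (len(addr) == 106 and addr[0] == "4")


def find_json_objects(blob: bytes) -> Iterator[dict]:
    """Yield every top-level JSON object embedded in arbitrary bytes (a memory
    dump, a pcap payload). Uses raw_decode so trailing garbage is tolerated."""
    text = blob.decode("latin-1")  # lossless byte-to-char mapping
    dec = json.JSONDecoder()
    i = 0
    while True:
        i = text.find("{", i)
        if i < 0:
            return
        try:
            obj, end = dec.raw_decode(text, i)
        except json.JSONDecodeError:
            i += 1          # not JSON here; keep scanning from the next byte
            continue
        if isinstance(obj, dict):
            yield obj
        i = end             # skip past the object so nested dicts are not re-reported


def _first(obj: dict, keys):
    return next((obj[k] for k in keys if k in obj), None)


def extract_miner_configs(blob: bytes) -> List[dict]:
    """Pick out objects carrying a pool endpoint plus a wallet and annotate them."""
    out = []
    for obj in find_json_objects(blob):
        pools = obj.get("pools")
        candidates = pools if isinstance(pools, list) else [obj]
        for c in candidates:
            if not isinstance(c, dict):
                continue
            pool, wallet = _first(c, POOL_KEYS), _first(c, WALLET_KEYS)
            if not (isinstance(pool, str) and isinstance(wallet, str)):
                continue
            out.append({
                "pool": pool,
                "stratum": pool.startswith(("stratum+tcp://", "stratum+ssl://")),
                "wallet": wallet,
                "wallet_valid": is_monero_address(wallet),
                "algo": c.get("algo", obj.get("algo")),
                "threads": c.get("threads", obj.get("threads")),
            })
    return out


# Constructed dummy wallet: right length and alphabet, not a real address
DUMMY_WALLET = "4" + "A" * 94

# Constructed memory dump: ELF debris, an HTTP request, the config, and JSON-looking noise
SAMPLE_DUMP = (
    b"\x7fELF\x00\x00 GET /cfg HTTP/1.1\r\nHost: c2.example\r\n\r\n"
    + json.dumps({"pool": "stratum+tcp://pool.example:3333", "wallet": DUMMY_WALLET,
                  "algo": "rx/0", "threads": 4}).encode()
    + b"\x00\x00{not json}\x00" + b'{"status":"ok"}\x00'
)

if __name__ == "__main__":
    for cfg in extract_miner_configs(SAMPLE_DUMP):
        print(json.dumps(cfg, indent=2))
```

A hit with a well-formed wallet and a stratum URL gives you a pool to block at egress and an address to report to the pool operator; a hit whose wallet fails the shape check usually means the key names guessed above are wrong for this sample, and the surrounding bytes should be read by hand.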
For further insights, the full Cyble blog post offers detailed recommendations for cybersecurity defenders, along with related MITRE ATT&CK techniques and indicators of compromise (IoCs) that can aid in the identification and mitigation of this emerging threat.